
Infected with unknown malware


  • This topic is locked
5 replies to this topic

#1 023

  • Members
  • 4 posts

Posted 01 November 2009 - 04:20 PM

I think that I have malware that is infecting explorer.exe and one of my services. Malwarebytes picked up 2 Trojan.Ransoms and removed them. Then on 10/29/2009 Malwarebytes removed:
Files Infected:
C:\Documents and Settings\Current User\Local Settings\Apps\2.0\DP2W4OCD.QMY\XZLJYPJG.6Y4\clic...exe_9a8dfcd080ccb114_0001.0002_none_19406d71b53cc551\GoogleUpdateSetup.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Documents and Settings\Current User\Local Settings\Apps\2.0\DP2W4OCD.QMY\XZLJYPJG.6Y4\goog...app_9a8dfcd080ccb114_0001.0002_d7d35fd2a0f2e170\GoogleUpdateSetup.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

They seem to be replicating. The reason that I think that it may have infected explorer.exe is that when I renamed it and deleted it, it reappears, and some of my taskbar icons disappear. The reason that I think that it may have infected one of my services is that I keep having problems with services that I have never had before. These problems are affecting my printer. I uninstalled my printer and reinstalled it and I still cannot load some services. I have had success removing malware before, but when they replicate I am lost. Please HELP!!


DDS (Ver_09-10-26.01) - NTFSx86
Run by Current User at 14:32:56.29 on Sun 11/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2168 [GMT -6:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
C:\WINDOWS\Explorer2.exe
C:\ASUS.SYS\config\DVMExportService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\AI Nap\AiNap.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Corel\Corel MediaOne\Corel Photo Downloader.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe
C:\Documents and Settings\Current User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.alltheinternet.com/
mURLSearchHooks: Advanced Searchbar: {57f02779-3d88-4958-8ad3-83c12d86adc7} -
mWinlogon: Shell=Explorer2.exe
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
TB: Advanced Searchbar: {57f02779-3d88-4958-8ad3-83c12d86adc7} -
TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Ai Nap] "c:\program files\asus\ai nap\AiNap.exe"
mRun: [ASUS Update Checker] c:\program files\asus\asusupdate\updatechecker\UpdateChecker.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Task Catcher] c:\progra~1\billps~1\taskca~1\tasktrap.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [Corel Photo Downloader] "c:\program files\corel\corel mediaone\Corel Photo Downloader.exe" -startup
StartupFolder: c:\docume~1\curren~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\curren~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\curren~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237918865687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239939302125
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\curren~1\applic~1\mozilla\firefox\profiles\h09i68b5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - SearchGeek Search Engine
FF - prefs.js: browser.startup.homepage - www.alltheinternet.com
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_fs&search=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\current user\application data\mozilla\firefox\profiles\h09i68b5.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 600000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 600000
FF - user.js: dom.disable_window_open_feature.menubar - true
FF - user.js: dom.disable_window_open_feature.minimizable - true
FF - user.js: dom.disable_window_open_feature.scrollbars - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-8-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-8-31 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-8-31 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091021.001\IDSXpx86.sys [2009-10-22 329080]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 74480]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [2009-6-5 315392]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-6-22 8960]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-4-17 10384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-29 269648]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-8-31 117640]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-9-6 604488]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-28 102448]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-6-25 57344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-29 19160]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-6-25 57408]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-24 1684736]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-4-1 93184]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-6-22 11264]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-4-13 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-4-13 3072]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\curren~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\curren~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\d-link dwa-552 xtreme n desktop adapter\jswpsapi.exe [2009-6-25 356434]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-6-22 16640]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]
S4 GreenPrint;GreenPrint;c:\program files\greenprint\gpsrht01.exe --> c:\program files\greenprint\GPSRHT01.exe [?]

=============== Created Last 30 ================

2009-11-01 06:31:23 0 d-----w- c:\temp\DMTemp
2009-11-01 06:20:25 0 d-----w- c:\program files\Tracker Software
2009-11-01 03:29:01 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-11-01 03:28:52 0 d-----w- c:\program files\Security Task Manager
2009-10-31 22:53:21 0 d-----w- c:\windows\twain_32
2009-10-31 22:53:20 0 d-----w- c:\program files\common files\HP
2009-10-31 22:48:42 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-10-31 22:48:36 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-10-31 22:48:26 179652 ----a-w- c:\windows\hpwins14.dat
2009-10-31 22:48:25 1108 ----a-r- c:\windows\hpwmdl14.dat
2009-10-31 22:48:05 271704 ----a-r- c:\windows\system32\hpzids01.dll
2009-10-31 22:47:32 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-10-31 22:47:32 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-10-31 22:47:31 970752 ----a-r- c:\windows\system32\hpwtiop3.dll
2009-10-31 22:47:31 294912 ----a-r- c:\windows\system32\hpovst11.dll
2009-10-31 22:47:30 729088 ----a-r- c:\windows\system32\hpwwiax3.dll
2009-10-31 22:39:22 0 d-----w- c:\program files\HP
2009-10-31 21:20:52 0 d-----w- c:\program files\FileASSASSIN
2009-10-31 20:44:04 0 dc-h--w- c:\windows\ie8
2009-10-31 20:18:45 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 03:24:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 03:24:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 03:24:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 01:12:08 299520 ----a-w- c:\windows\uninst.exe
2009-10-30 01:11:32 0 d-----w- c:\documents and settings\current user\WINDOWS
2009-10-29 00:35:25 0 d--h--w- C:\ASUS.000
2009-10-29 00:35:12 177 ---h--w- C:\dvmexp.idx
2009-10-29 00:30:00 0 d--h--w- c:\temp\dvmexp
2009-10-29 00:29:56 0 d--h--w- c:\temp\tmpdvmexp
2009-10-29 00:29:56 0 d--h--w- C:\dvmexp
2009-10-29 00:21:10 0 d--h--w- C:\ASUS.SYS
2009-10-26 05:05:31 11832 ----a-w- c:\windows\system32\drivers\AsInsHelp64.sys
2009-10-26 05:05:31 10216 ----a-w- c:\windows\system32\drivers\AsInsHelp32.sys
2009-10-26 04:26:02 1769 ----a-w- c:\windows\Language_trs.ini
2009-10-24 23:30:08 81920 ----a-w- c:\windows\system32\Startup.cpl
2009-10-24 05:48:28 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-24 05:48:27 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-22 04:48:32 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-22 04:48:32 0 d-----w- c:\documents and settings\current user\log
2009-10-22 03:20:27 0 d-----w- c:\docume~1\curren~1\applic~1\Uniblue
2009-10-19 03:01:10 0 d-----w- C:\Dive C Images
2009-10-19 02:26:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Macrium
2009-10-18 20:22:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-18 07:10:47 4436 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-18 07:10:47 39152 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-18 07:10:47 35872 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-18 07:10:47 2765088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-18 07:10:41 3518 ----a-w- C:\rollback.ini
2009-10-18 07:06:33 0 d-----w- c:\program files\common files\ParetoLogic
2009-10-18 07:06:33 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-10-18 03:54:09 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-10-17 23:12:40 0 d-----w- c:\program files\Norton Support
2009-10-15 22:49:02 3245 ----a-w- c:\windows\system32\wbem\Outlook_01ca4de9b0b6511c.mof
2009-10-14 23:06:14 3245 ----a-w- c:\windows\system32\wbem\Outlook_01ca4d22ed9fb8d8.mof
2009-10-11 05:41:49 0 ----a-w- c:\windows\hpqEmlSz.INI
2009-10-10 20:23:05 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2009-10-10 19:07:59 0 d-----w- C:\downloads
2009-10-10 19:07:59 0 d-----w- c:\docume~1\curren~1\applic~1\GrabPro
2009-10-10 18:01:46 0 d-----w- c:\docume~1\alluse~1\applic~1\IM
2009-10-10 18:01:06 0 d-----w- c:\docume~1\alluse~1\applic~1\IncrediMail
2009-10-10 03:18:11 0 d-----w- c:\windows\SxsCaPendDel
2009-10-10 01:10:56 0 d-----w- c:\docume~1\curren~1\applic~1\Tracker Software
2009-10-08 18:30:00 0 d-----w- c:\program files\Pure Networks
2009-10-08 18:28:46 0 d-----w- c:\program files\common files\Pure Networks Shared
2009-10-08 18:15:25 0 d-----w- c:\docume~1\curren~1\applic~1\CBS Interactive
2009-10-08 18:11:52 0 d-----w- c:\windows\system32\custom matrices
2009-10-08 18:11:43 0 d-----w- c:\windows\system32\QuickTime
2009-10-08 18:11:43 0 d-----w- c:\windows\system32\C2MP
2009-10-04 05:54:58 592 ----a-w- c:\windows\uninstallstickies.bat
2009-10-04 05:54:58 0 d-----w- c:\program files\stickies
2009-10-04 05:54:58 0 d-----w- c:\docume~1\curren~1\applic~1\stickies
2009-10-04 05:40:26 1050296 ------w- c:\windows\system32\wweb32.dll
2009-10-04 05:40:26 0 d-----w- c:\program files\WordWeb
2009-10-04 05:22:00 0 d-----w- c:\docume~1\curren~1\applic~1\WinPatrol
2009-10-04 05:21:53 0 d-----w- c:\program files\BillP Studios

==================== Find3M ====================

2009-10-26 04:24:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 21:35:00 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-09-23 22:59:26 4481024 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-09-23 22:39:28 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-09-23 22:38:26 299520 ----a-w- c:\windows\system32\ati2dvag.dll
2009-09-23 22:21:32 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-09-23 22:21:14 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-09-23 22:21:00 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-09-23 22:20:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-09-23 22:20:36 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-09-23 22:19:14 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-09-23 22:17:44 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-09-23 22:11:02 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-09-23 22:09:18 3506080 ----a-w- c:\windows\system32\ati3duag.dll
2009-09-23 21:58:16 12644352 ----a-w- c:\windows\system32\atioglxx.dll
2009-09-23 21:53:48 2096384 ----a-w- c:\windows\system32\ativvaxx.dll
2009-09-23 21:36:50 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-09-23 21:36:50 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-09-23 21:32:20 561152 ----a-w- c:\windows\system32\atikvmag.dll
2009-09-23 21:31:32 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-09-23 21:31:18 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-09-23 21:30:08 167936 ----a-w- c:\windows\system32\atiadlxx.dll
2009-09-23 21:29:42 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-09-23 21:29:36 3489792 ----a-w- c:\windows\system32\aticaldd.dll
2009-09-23 21:28:58 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-09-23 21:27:50 401408 ----a-w- c:\windows\system32\atiok3x2.dll
2009-09-23 21:23:08 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-09-11 14:13:26 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-06 18:26:15 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-09-06 18:26:13 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-09-04 23:00:58 916430 ----a-w- c:\program files\Apr2006_MDX1_x86.cab
2009-09-04 22:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 22:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 22:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 22:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 22:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 22:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 22:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 22:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 19:55:54 195855 ----a-w- c:\windows\system32\atiicdxx.dat
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 19:04:44 557003 ----a-w- c:\windows\system32\libmplayer.dll
2009-08-27 19:04:32 811835 ----a-w- c:\windows\system32\ff_x264.dll
2009-08-27 19:03:52 4456201 ----a-w- c:\windows\system32\libavcodec.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:07:36 328334 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-08-25 17:38:04 425040 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2009-08-25 16:56:56 829781 ----a-w- c:\windows\system32\xvidcore.dll
2009-08-25 16:37:02 146098 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2009-08-19 23:29:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-11 20:21:26 87552 ----a-w- c:\windows\system32\ac3config.exe
2009-08-07 00:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:52:22 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 13:54:30 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:17:52 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2001-08-23 11:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 10:42:08 50688 --sh--w- c:\windows\twain_32.dll
2009-06-22 09:21:28 8 --sh--r- c:\windows\system32\C9E937767D.sys
2008-04-14 10:41:58 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 10:42:02 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 10:42:02 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 10:42:02 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 10:42:04 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 10:42:04 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 10:42:34 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 14:33:23.01 ===============
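The DDS output above carries the persistence details a responder checks first: `mWinlogon: Shell=Explorer2.exe` together with `C:\WINDOWS\Explorer2.exe` in the process list shows the machine-wide Winlogon Shell value pointing at something other than the stock explorer.exe, several toolbar and shell-execute-hook CLSIDs resolve to "No File", and two service entries end in "[?]" because DDS could not locate the binary. The script below is an added example, not DDS, BleepingComputer or the poster's code: it parses those three sections of a DDS log and emits triage findings. Its embedded sample is a constructed excerpt of the log above; the section banners and line formats are taken from that log, while the severity labels and the "FINISH" handling are this example's own choices. Two caveats: a non-default Shell value is a lead, not proof of infection (the poster says they renamed explorer.exe themselves), and on Windows XP explorer.exe is covered by Windows File Protection, so a deleted copy being restored from dllcache is expected behaviour regardless of malware.

```python
"""Triage a DDS log's Running Processes, Pseudo HJT Report and
SERVICES / DRIVERS sections for the persistence signals a responder
checks first. Added example; not DDS, BleepingComputer or the poster's code."""
import re
import sys
from dataclasses import dataclass

# Constructed excerpt of the DDS log posted above (lines copied, list shortened).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

============== Pseudo HJT Report ===============

mWinlogon: Shell=Explorer2.exe
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-29 269648]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]

============= FINISH: 14:33:23.01 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# HKLM (m) or HKCU (u) Winlogon Shell value; the stock XP value is Explorer.exe.
WINLOGON_SHELL_RE = re.compile(r"^[um]Winlogon:\s*Shell=(.+)$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" / "medium" / "low" are this example's own labels
    item: str       # the log line that triggered the finding
    reason: str


def split_sections(text):
    """Map each '=== Name ===' banner to the non-blank lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).upper()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_winlogon_shell(hjt_lines):
    """Anything other than explorer.exe as the Winlogon shell is a lead:
    the shell value is launched at every interactive logon."""
    out = []
    for line in hjt_lines:
        m = WINLOGON_SHELL_RE.match(line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            out.append(Finding("high", line,
                               f"Winlogon Shell is {m.group(1).strip()!r}, expected explorer.exe"))
    return out


def check_processes(proc_lines):
    """Flag running images that look like the shell but are not explorer.exe."""
    out = []
    for line in proc_lines:
        image = line.rsplit("\\", 1)[-1].split(" ")[0].lower()   # drop dir and -k args
        if image.startswith("explorer") and image != "explorer.exe":
            out.append(Finding("high", line, "shell-like process that is not explorer.exe"))
    return out


def check_dangling_clsids(hjt_lines):
    """TB/BHO/SEH entries whose CLSID no longer maps to a file: leftovers of
    removed software, or a component deleted by a previous clean-up."""
    return [Finding("low", line, "CLSID entry resolves to No File")
            for line in hjt_lines if line.endswith("- No File")]


def check_missing_service_binaries(svc_lines):
    """DDS appends [?] when it cannot find a registered service/driver binary."""
    return [Finding("medium", line, "service/driver registered but binary not found")
            for line in svc_lines if line.endswith("[?]")]


def triage(text):
    s = split_sections(text)
    return (check_winlogon_shell(s.get("PSEUDO HJT REPORT", []))
            + check_processes(s.get("RUNNING PROCESSES", []))
            + check_dangling_clsids(s.get("PSEUDO HJT REPORT", []))
            + check_missing_service_binaries(s.get("SERVICES / DRIVERS", [])))


if __name__ == "__main__":
    # Usage: python dds_triage.py dds.txt   (no argument: run on the embedded sample)
    log = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
           if len(sys.argv) > 1 else SAMPLE_LOG)
    for f in triage(log):
        print(f"[{f.severity:6}] {f.reason}\n         {f.item}")
```

On the full log above the same checks fire on the `mWinlogon` line, on `Explorer2.exe` in the process list, on the two `TB:` entries and the one `SEH:` entry marked "No File", and on the F-Secure, TMPassthruMP and GreenPrint service lines ending in "[?]". Treat the output as a worklist for the helper, not a verdict: each finding still needs the file checked on disk, or the CLSID looked up, before anything is removed.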

#2 Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 07 November 2009 - 10:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



#3 023 (Topic Starter)

  • Members
  • 4 posts

Posted 08 November 2009 - 01:27 PM

I hope that I attached the logs correctly. I really appreciate your help.




#4 m0le
    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 November 2009 - 07:08 PM

Hi 023,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

----------------------------------------------

There's something strange in the logs. Those two entries that MBAM deletes are being put back by something. It isn't a rootkit though.

I think we should take a better look at the PC and run another rootkit scanner too.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

Now run Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Next, provided there are no surprises in the logs above, we will tackle the trojan entries. :(

#5 023 (Topic Starter)

  • Members
  • 4 posts

Posted 08 November 2009 - 09:19 PM

I had to go ahead and reinstall my OS because I had to use my computer, but I appreciate you trying to help me.

Thank you,

023

#6 m0le
    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 November 2009 - 08:46 AM

Okay, no problem

---------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



